“Shadows Kill” — Mirai DDoS botnet testing large scale attacks, sending threatening messages about UK and attacking researchers

Mirai, a Denial of Service toolkit, is made up of lots of actors across botnets. The source code is open source, meaning anybody can download it and join the club.

After the historic DDoS attack which downed Dyn, in turn impacting DNS services to a very large number of websites, MalwareTech.com setup monitoring of Mirai botnets — introducing honeypots to monitor attack traffic.

The attacks are live tweeted as @MiraiAttacks

Many of the botnets are simply attacking Minecraft servers and doing technically terrible attacks on websites, e.g. a Farming Simulator game mod site.

We have seen a botnet called #14 attack significantly bigger targets. With monitoring it is clear they are extremely successful at attacking things. So far, these tests appear to be a test nature.

Transit providers confirm over 500gbit/sec of traffic is output during attacks. Attacks last a short period. It is the largest of the Mirai botnets and the domain controlling it pre-dates the attacks on Dyn. The capacity makes it one of the biggest DDoS botnets ever seen. Given the volume of traffic, it appears to be the owned by the actor which attacked Dyn.

Liberia

Over the past week we’ve seen continued short duration attacks on infrastructure in the nation of Liberia. Liberia has one internet cable, installed in 2011, which provides a single point of failure for internet access. From monitoring we can see websites hosted in country going offline during the attacks — additionally, a source in country at a Telco has confirmed to a journalist they are seeing intermittent internet connectivity, at times which directly match the attack. The attacks are extremely worrying because they suggest a Mirai operator who has enough capacity to seriously impact systems in a nation state.

Shadows Kill botnet

Last night, while tweeting about the attacks, the botnet started sending messages:

It also attacked MalwareTech.com, which hosts @MiraiAttacks and who are performing the monitoring:

Additionally, a DNS flood was initiated, as picked up by a third party monitor:

While I was live tweeting about the issue, this message was sent via the botnet:

I am calling botnet #14 “Shadows Kill”, based on the message they sent.

As of 1PM today UK time, the botnet continues to intermittently attack Liberia telecom providers who co-own the submarine cable.

Monitoring is continuing of the botnet, but so far it appears they are testing denial of service techniques.